[tor-dev] Quantum-safe Hybrid handshake for Tor

s7r s7r at sky-ip.org
Mon Jan 4 00:14:45 UTC 2016




On 1/3/2016 11:24 PM, Ryan Carboni wrote:
> 
> Given the slow time it takes to roll things out, a timeline which
> begins with trusted directory keys include post-quantum crypto
> first, and which ends in enabling clients to use post-quantum
> crypto would be best.
> 

That is wrong. Read Yawning's previous message to this thread. If we
try to do things on an all-or-nothing and right-now-don't-care basis we
might end up doing nothing at all and waste precious time.
Post-quantum crypto for directory signing keys is useless at this
moment, because quantum computers don't exist yet. A conspiracy theory
that the NSA has already had super duper quantum computers since n
years ago and already cracks all curves is too much to digest, and I
prefer to build a timeline and establish priorities based on real
world evidence and research papers as opposed to conspiracy theories
and assumptions.

Back to the point, the directory signing keys are used to sign
consensus documents. A consensus document has a very short, limited
lifetime (valid-until). This means that if the keys are compromised
(broken by quantum computers) after the end-of-life date, it's a
useless attack that offers nothing. The only way this attack would
work is if the attacker had the ability to compromise the directory
keys in real time (almost instantly), not at some probable time in the
future.

On the other hand, we have evidence that netflow traffic and whole
internet traffic (even if encrypted) is captured and might be stored
in unknown quantities for unknown periods. While "it is safe to
assume" that quantum computers powerful enough to make a difference
don't exist yet, and probably won't for a while longer, we can be
certain that the technology to store massive amounts of data already
exists and is quite accessible and relatively cheap for attackers such
as the ones in our threat models.

So, yes, the threat of data collection now for future compromise is a
much more realistic threat than someone right now having a super duper
quantum computer which can crack currently used crypto in real time.
Adding something quantum-safe in link encryption for starters is worth
looking into, and in the future of course changes will be applied to
upper-layer crypto as well.

